Palo Alto Firewall HA PAN-OS Upgrade

I followed the steps HERE to perform an upgrade from 6.0.4 to 6.0.6 successfully.  To summarize, the steps are:

  1. On the active fw (fw1), log into the cli and enter: request high-availability state suspend.  This will force a failover to the secondary firewall (fw2).  I lost 2 pings during the failover.
  2. Install the new PAN-OS on fw1, and reboot when requested.
  3. Once rebooted, log into the CLI and enter: show jobs all to verify auto commit has completed (it should show FIN OK).  Then log into the web gui and verify the HA state of fw1 is Passive.
  4. Now, log into fw2 (which is currently the active fw), and force failover back to fw1 with: request high-availability state suspend. I lost 0 pings during the fail-back.
  5. Install the new PAN-OS on fw2, and reboot when requested.
  6. From the web gui of fw1, monitor the HA state and verify fw2 comes back up in Passive mode.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s